1 /*
   2  * Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
   3  * Use is subject to license terms.
   4  */
   5 
   6 
   7 /*
   8  * lib/crypto/des/string2key.c
   9  *
  10  * based on lib/crypto/des/string2key.c from MIT V5 
  11  * and on lib/des/afs_string_to_key.c from UMD.
  12  * constructed by Mark Eichin, Cygnus Support, 1995.
  13  * made thread-safe by Ken Raeburn, MIT, 2001.
  14  */
  15 
  16 /*
  17  * Copyright 2001 by the Massachusetts Institute of Technology.
  18  * All Rights Reserved.
  19  *
  20  * Export of this software from the United States of America may
  21  *   require a specific license from the United States Government.
  22  *   It is the responsibility of any person or organization contemplating
  23  *   export to obtain such a license before exporting.
  24  * 
  25  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  26  * distribute this software and its documentation for any purpose and
  27  * without fee is hereby granted, provided that the above copyright
  28  * notice appear in all copies and that both that copyright notice and
  29  * this permission notice appear in supporting documentation, and that
  30  * the name of M.I.T. not be used in advertising or publicity pertaining
  31  * to distribution of the software without specific, written prior
  32  * permission.  Furthermore if you modify this software you must label
  33  * your software as modified software and not distribute it in such a
  34  * fashion that it might be confused with the original M.I.T. software.
  35  * M.I.T. makes no representations about the suitability of
  36  * this software for any purpose.  It is provided "as is" without express
  37  * or implied warranty.
  38  */
  39 
  40 /*
  41  * Copyright (C) 1998 by the FundsXpress, INC.
  42  * 
  43  * All rights reserved.
  44  * 
  45  * Export of this software from the United States of America may require
  46  * a specific license from the United States Government.  It is the
  47  * responsibility of any person or organization contemplating export to
  48  * obtain such a license before exporting.
  49  * 
  50  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
  51  * distribute this software and its documentation for any purpose and
  52  * without fee is hereby granted, provided that the above copyright
  53  * notice appear in all copies and that both that copyright notice and
  54  * this permission notice appear in supporting documentation, and that
  55  * the name of FundsXpress. not be used in advertising or publicity pertaining
  56  * to distribution of the software without specific, written prior
  57  * permission.  FundsXpress makes no representations about the suitability of
  58  * this software for any purpose.  It is provided "as is" without express
  59  * or implied warranty.
  60  * 
  61  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
  62  * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
  63  * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  64  */
  65 
  66 #include "k5-int.h"
  67 #include "des_int.h"
  68 #include <ctype.h>
  69 
  70 #define afs_crypt mit_afs_crypt
  71 char *afs_crypt (const char *, const char *, char *);
  72 
  73 #undef min
  74 #define min(a,b) ((a)>(b)?(b):(a))
  75 
  76 /*ARGSUSED*/
  77 krb5_error_code
  78 mit_afs_string_to_key (krb5_context context,
  79                     krb5_keyblock *keyblock, const krb5_data *data,
  80                     const krb5_data *salt)
  81 {
  82     /* Solaris Kerberos */
  83     krb5_error_code retval = KRB5_PROG_ETYPE_NOSUPP;
  84 /* EXPORT DELETE START */
  85   /* totally different approach from MIT string2key. */
  86   /* much of the work has already been done by the only caller 
  87      which is mit_des_string_to_key; in particular, *keyblock is already 
  88      set up. */
  89   
  90     char *realm = salt->data;
  91     unsigned int i, j;
  92     krb5_octet *key = keyblock->contents;
  93     /* Solaris Kerberos */
  94     krb5_keyblock usekey;
  95 
  96     if (data->length <= 8) {
  97       /* One block only.  Run afs_crypt and use the first eight
  98          returned bytes after the copy of the (fixed) salt.
  99 
 100          Since the returned bytes are alphanumeric, the output is
 101          limited to 2**48 possibilities; for each byte, only 64
 102          possible values can be used.  */
 103       unsigned char password[9]; /* trailing nul for crypt() */
 104       char afs_crypt_buf[16];
 105 
 106       memset (password, 0, sizeof (password));
 107       memcpy (password, realm, min (salt->length, 8));
 108       for (i=0; i<8; i++)
 109         if (isupper(password[i]))
 110           password[i] = tolower(password[i]);
 111       for (i=0; i<data->length; i++)
 112         password[i] ^= data->data[i];
 113       for (i=0; i<8; i++)
 114         if (password[i] == '\0')
 115           password[i] = 'X';
 116       password[8] = '\0';
 117       /* Out-of-bounds salt characters are equivalent to a salt string
 118          of "p1".  */
 119       strncpy((char *) key,
 120               (char *) afs_crypt((char *) password, "#~", afs_crypt_buf) + 2,
 121               8);
 122       for (i=0; i<8; i++)
 123         key[i] <<= 1;
 124       /* now fix up key parity again */
 125       mit_des_fixup_key_parity(key);
 126       /* clean & free the input string */
 127       memset(password, 0, (size_t) sizeof(password));
 128 
 129       /* Solaris Kerberos: Success */
 130       retval = 0;
 131     } else {
 132       /* Multiple blocks.  Do a CBC checksum, twice, and use the
 133          result as the new key.  */
 134       mit_des_cblock ikey, tkey;
 135       unsigned int pw_len = salt->length+data->length;
 136       unsigned char *password = malloc(pw_len+1);
 137       if (!password) return ENOMEM;
 138 
 139       /* Some bound checks from the original code are elided here as
 140          the malloc above makes sure we have enough storage. */
 141       memcpy (password, data->data, data->length);
 142       for (i=data->length, j = 0; j < salt->length; i++, j++) {
 143         password[i] = realm[j];
 144         if (isupper(password[i]))
 145           password[i] = tolower(password[i]);
 146       }
 147         
 148       memcpy (ikey, "kerberos", sizeof(ikey));
 149       memcpy (tkey, ikey, sizeof(tkey));
 150       mit_des_fixup_key_parity (tkey);
 151 
 152     /* Solaris Kerberos */
 153       usekey.enctype = ENCTYPE_DES_CBC_CRC;
 154       usekey.contents = tkey;
 155       usekey.length = 8;
 156       retval = mit_des_cbc_cksum (context, (unsigned char *)password,
 157                                 tkey, i, &usekey, ikey);
 158 
 159       memcpy (ikey, tkey, sizeof(ikey));
 160       mit_des_fixup_key_parity (tkey);
 161       /* Solaris Kerberos */
 162       if (usekey.hKey != CK_INVALID_HANDLE) {
 163          (void) C_DestroyObject(krb_ctx_hSession(context), usekey.hKey);
 164          usekey.hKey = CK_INVALID_HANDLE;
 165       }
 166       usekey.contents = tkey;
 167       usekey.length = 8;
 168       retval = mit_des_cbc_cksum (context, (unsigned char *) password,
 169                                 key, i, &usekey, ikey);
 170 
 171       /* now fix up key parity again */
 172       mit_des_fixup_key_parity(key);
 173       
 174       /* Solaris Kerberos */
 175       if (usekey.hKey != CK_INVALID_HANDLE) {
 176          (void) C_DestroyObject(krb_ctx_hSession(context), usekey.hKey);
 177          usekey.hKey = CK_INVALID_HANDLE;
 178       }
 179       /* clean & free the input string */
 180       memset(password, 0, (size_t) pw_len);
 181       krb5_xfree(password);
 182     }
 183 #if 0
 184     /* must free here because it was copied for this special case */
 185     krb5_xfree(salt->data);
 186 #endif
 187 
 188 /* EXPORT DELETE END */
 189     return retval;
 190 }
 191 
 192 
 193 /* Portions of this code:
 194    Copyright 1989 by the Massachusetts Institute of Technology
 195    */
 196  
 197 /*
 198  * Copyright (c) 1990 Regents of The University of Michigan.
 199  * All Rights Reserved.
 200  *
 201  * Permission to use, copy, modify, and distribute this software
 202  * and its documentation for any purpose and without fee is hereby
 203  * granted, provided that the above copyright notice appears in all
 204  * copies and that both that copyright notice and this permission
 205  * notice appear in supporting documentation, and that the name of
 206  * The University of Michigan not be used in advertising or
 207  * publicity pertaining to distribution of the software without
 208  * specific, written prior permission. This software is supplied as
 209  * is without expressed or implied warranties of any kind.
 210  *
 211  *      ITD Research Systems
 212  *      University of Michigan
 213  *      535 W. William Street
 214  *      Ann Arbor, Michigan
 215  *      +1-313-936-2652
 216  *      netatalk@terminator.cc.umich.edu
 217  */
 218 
 219 /* EXPORT DELETE START */
 220 
 221 static void krb5_afs_crypt_setkey (char*, char*, char(*)[48]);
 222 static void krb5_afs_encrypt (char*,char*,char (*)[48]);
 223 
 224 /*
 225  * Initial permutation,
 226  */
 227 static const char       IP[] = {
 228         58,50,42,34,26,18,10, 2,
 229         60,52,44,36,28,20,12, 4,
 230         62,54,46,38,30,22,14, 6,
 231         64,56,48,40,32,24,16, 8,
 232         57,49,41,33,25,17, 9, 1,
 233         59,51,43,35,27,19,11, 3,
 234         61,53,45,37,29,21,13, 5,
 235         63,55,47,39,31,23,15, 7,
 236 };
 237  
 238 /*
 239  * Final permutation, FP = IP^(-1)
 240  */
 241 static const char       FP[] = {
 242         40, 8,48,16,56,24,64,32,
 243         39, 7,47,15,55,23,63,31,
 244         38, 6,46,14,54,22,62,30,
 245         37, 5,45,13,53,21,61,29,
 246         36, 4,44,12,52,20,60,28,
 247         35, 3,43,11,51,19,59,27,
 248         34, 2,42,10,50,18,58,26,
 249         33, 1,41, 9,49,17,57,25,
 250 };
 251  
 252 /*
 253  * Permuted-choice 1 from the key bits to yield C and D.
 254  * Note that bits 8,16... are left out: They are intended for a parity check.
 255  */
 256 static const char       PC1_C[] = {
 257         57,49,41,33,25,17, 9,
 258          1,58,50,42,34,26,18,
 259         10, 2,59,51,43,35,27,
 260         19,11, 3,60,52,44,36,
 261 };
 262  
 263 static const char       PC1_D[] = {
 264         63,55,47,39,31,23,15,
 265          7,62,54,46,38,30,22,
 266         14, 6,61,53,45,37,29,
 267         21,13, 5,28,20,12, 4,
 268 };
 269  
 270 /*
 271  * Sequence of shifts used for the key schedule.
 272  */
 273 static const char       shifts[] = {
 274         1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1,
 275 };
 276  
 277 /*
 278  * Permuted-choice 2, to pick out the bits from
 279  * the CD array that generate the key schedule.
 280  */
 281 static const char       PC2_C[] = {
 282         14,17,11,24, 1, 5,
 283          3,28,15, 6,21,10,
 284         23,19,12, 4,26, 8,
 285         16, 7,27,20,13, 2,
 286 };
 287  
 288 static const char       PC2_D[] = {
 289         41,52,31,37,47,55,
 290         30,40,51,45,33,48,
 291         44,49,39,56,34,53,
 292         46,42,50,36,29,32,
 293 };
 294  
 295 /*
 296  * The E bit-selection table.
 297  */
 298 static const char       e[] = {
 299         32, 1, 2, 3, 4, 5,
 300          4, 5, 6, 7, 8, 9,
 301          8, 9,10,11,12,13,
 302         12,13,14,15,16,17,
 303         16,17,18,19,20,21,
 304         20,21,22,23,24,25,
 305         24,25,26,27,28,29,
 306         28,29,30,31,32, 1,
 307 };
 308  
 309 /*
 310  * P is a permutation on the selected combination
 311  * of the current L and key.
 312  */
 313 static const char       P[] = {
 314         16, 7,20,21,
 315         29,12,28,17,
 316          1,15,23,26,
 317          5,18,31,10,
 318          2, 8,24,14,
 319         32,27, 3, 9,
 320         19,13,30, 6,
 321         22,11, 4,25,
 322 };
 323  
 324 /*
 325  * The 8 selection functions.
 326  * For some reason, they give a 0-origin
 327  * index, unlike everything else.
 328  */
 329 static const char       S[8][64] = {
 330         {14, 4,13, 1, 2,15,11, 8, 3,10, 6,12, 5, 9, 0, 7,
 331           0,15, 7, 4,14, 2,13, 1,10, 6,12,11, 9, 5, 3, 8,
 332           4, 1,14, 8,13, 6, 2,11,15,12, 9, 7, 3,10, 5, 0,
 333          15,12, 8, 2, 4, 9, 1, 7, 5,11, 3,14,10, 0, 6,13},
 334  
 335         {15, 1, 8,14, 6,11, 3, 4, 9, 7, 2,13,12, 0, 5,10,
 336           3,13, 4, 7,15, 2, 8,14,12, 0, 1,10, 6, 9,11, 5,
 337           0,14, 7,11,10, 4,13, 1, 5, 8,12, 6, 9, 3, 2,15,
 338          13, 8,10, 1, 3,15, 4, 2,11, 6, 7,12, 0, 5,14, 9},
 339  
 340         {10, 0, 9,14, 6, 3,15, 5, 1,13,12, 7,11, 4, 2, 8,
 341          13, 7, 0, 9, 3, 4, 6,10, 2, 8, 5,14,12,11,15, 1,
 342          13, 6, 4, 9, 8,15, 3, 0,11, 1, 2,12, 5,10,14, 7,
 343           1,10,13, 0, 6, 9, 8, 7, 4,15,14, 3,11, 5, 2,12},
 344  
 345         { 7,13,14, 3, 0, 6, 9,10, 1, 2, 8, 5,11,12, 4,15,
 346          13, 8,11, 5, 6,15, 0, 3, 4, 7, 2,12, 1,10,14, 9,
 347          10, 6, 9, 0,12,11, 7,13,15, 1, 3,14, 5, 2, 8, 4,
 348           3,15, 0, 6,10, 1,13, 8, 9, 4, 5,11,12, 7, 2,14},
 349  
 350         { 2,12, 4, 1, 7,10,11, 6, 8, 5, 3,15,13, 0,14, 9,
 351          14,11, 2,12, 4, 7,13, 1, 5, 0,15,10, 3, 9, 8, 6,
 352           4, 2, 1,11,10,13, 7, 8,15, 9,12, 5, 6, 3, 0,14,
 353          11, 8,12, 7, 1,14, 2,13, 6,15, 0, 9,10, 4, 5, 3},
 354  
 355         {12, 1,10,15, 9, 2, 6, 8, 0,13, 3, 4,14, 7, 5,11,
 356          10,15, 4, 2, 7,12, 9, 5, 6, 1,13,14, 0,11, 3, 8,
 357           9,14,15, 5, 2, 8,12, 3, 7, 0, 4,10, 1,13,11, 6,
 358           4, 3, 2,12, 9, 5,15,10,11,14, 1, 7, 6, 0, 8,13},
 359  
 360         { 4,11, 2,14,15, 0, 8,13, 3,12, 9, 7, 5,10, 6, 1,
 361          13, 0,11, 7, 4, 9, 1,10,14, 3, 5,12, 2,15, 8, 6,
 362           1, 4,11,13,12, 3, 7,14,10,15, 6, 8, 0, 5, 9, 2,
 363           6,11,13, 8, 1, 4,10, 7, 9, 5, 0,15,14, 2, 3,12},
 364  
 365         {13, 2, 8, 4, 6,15,11, 1,10, 9, 3,14, 5, 0,12, 7,
 366           1,15,13, 8,10, 3, 7, 4,12, 5, 6,11, 0,14, 9, 2,
 367           7,11, 4, 1, 9,12,14, 2, 0, 6,10,13,15, 3, 5, 8,
 368           2, 1,14, 7, 4,10, 8,13,15,12, 9, 0, 3, 5, 6,11},
 369 };
 370  
 371  
 372 char *afs_crypt(const char *pw, const char *salt,
 373                 /* must be at least 16 bytes */
 374                 char *iobuf)
 375 {
 376         int i, j, c;
 377         int temp;
 378         char block[66];
 379         char E[48];
 380         /*
 381          * The key schedule.
 382          * Generated from the key.
 383          */
 384         char KS[16][48];
 385  
 386         for(i=0; i<66; i++)
 387                 block[i] = 0;
 388         /* Solaris Kerberos */
 389         for(i=0; ((c= *pw) != NULL) && i<64; pw++){
 390                 for(j=0; j<7; j++, i++)
 391                         block[i] = (c>>(6-j)) & 01;
 392                 i++;
 393         }
 394         
 395         krb5_afs_crypt_setkey(block, E, KS);
 396 
 397         for(i=0; i<66; i++)
 398                 block[i] = 0;
 399 
 400         for(i=0;i<2;i++){
 401                 c = *salt++;
 402                 iobuf[i] = c;
 403                 if(c>'Z') c -= 6;
 404                 if(c>'9') c -= 7;
 405                 c -= '.';
 406                 for(j=0;j<6;j++){
 407                         if((c>>j) & 01){
 408                                 temp = E[6*i+j];
 409                                 E[6*i+j] = E[6*i+j+24];
 410                                 E[6*i+j+24] = temp;
 411                                 }
 412                         }
 413                 }
 414         
 415         for(i=0; i<25; i++)
 416                 krb5_afs_encrypt(block,E,KS);
 417         
 418         for(i=0; i<11; i++){
 419                 c = 0;
 420                 for(j=0; j<6; j++){
 421                         c <<= 1;
 422                         c |= block[6*i+j];
 423                         }
 424                 c += '.';
 425                 if(c>'9') c += 7;
 426                 if(c>'Z') c += 6;
 427                 iobuf[i+2] = c;
 428         }
 429         iobuf[i+2] = 0;
 430         if(iobuf[1]==0)
 431                 iobuf[1] = iobuf[0];
 432         return(iobuf);
 433 }
 434 
 435 /*
 436  * Set up the key schedule from the key.
 437  */
 438  
 439 static void krb5_afs_crypt_setkey(char *key, char *E, char (*KS)[48])
 440 {
 441         register int i, j, k;
 442         int t;
 443         /*
 444          * The C and D arrays used to calculate the key schedule.
 445          */
 446         char C[28], D[28];
 447  
 448         /*
 449          * First, generate C and D by permuting
 450          * the key.  The low order bit of each
 451          * 8-bit char is not used, so C and D are only 28
 452          * bits apiece.
 453          */
 454         for (i=0; i<28; i++) {
 455                 C[i] = key[PC1_C[i]-1];
 456                 D[i] = key[PC1_D[i]-1];
 457         }
 458         /*
 459          * To generate Ki, rotate C and D according
 460          * to schedule and pick up a permutation
 461          * using PC2.
 462          */
 463         for (i=0; i<16; i++) {
 464                 /*
 465                  * rotate.
 466                  */
 467                 for (k=0; k<shifts[i]; k++) {
 468                         t = C[0];
 469                         for (j=0; j<28-1; j++)
 470                                 C[j] = C[j+1];
 471                         C[27] = t;
 472                         t = D[0];
 473                         for (j=0; j<28-1; j++)
 474                                 D[j] = D[j+1];
 475                         D[27] = t;
 476                 }
 477                 /*
 478                  * get Ki. Note C and D are concatenated.
 479                  */
 480                 for (j=0; j<24; j++) {
 481                         KS[i][j] = C[PC2_C[j]-1];
 482                         KS[i][j+24] = D[PC2_D[j]-28-1];
 483                 }
 484         }
 485  
 486 #if 0
 487         for(i=0;i<48;i++) {
 488                 E[i] = e[i];
 489         }
 490 #else
 491         memcpy(E, e, 48);
 492 #endif
 493 }
 494  
 495 /*
 496  * The payoff: encrypt a block.
 497  */
 498  
 499 static void krb5_afs_encrypt(char *block, char *E, char (*KS)[48])
 500 {
 501         const long edflag = 0;
 502         int i, ii;
 503         int t, j, k;
 504         char tempL[32];
 505         char f[32];
 506         /*
 507          * The current block, divided into 2 halves.
 508          */
 509         char L[64];
 510         char *const R = &L[32];
 511         /*
 512          * The combination of the key and the input, before selection.
 513          */
 514         char preS[48];
 515 
 516         /*
 517          * First, permute the bits in the input
 518          */
 519         for (j=0; j<64; j++)
 520                 L[j] = block[IP[j]-1];
 521         /*
 522          * Perform an encryption operation 16 times.
 523          */
 524         for (ii=0; ii<16; ii++) {
 525                 /*
 526                  * Set direction
 527                  */
 528                 if (edflag)
 529                         i = 15-ii;
 530                 else
 531                         i = ii;
 532                 /*
 533                  * Save the R array,
 534                  * which will be the new L.
 535                  */
 536 #if 0
 537                 for (j=0; j<32; j++)
 538                         tempL[j] = R[j];
 539 #else
 540                 memcpy(tempL, R, 32);
 541 #endif
 542                 /*
 543                  * Expand R to 48 bits using the E selector;
 544                  * exclusive-or with the current key bits.
 545                  */
 546                 for (j=0; j<48; j++)
 547                         preS[j] = R[E[j]-1] ^ KS[i][j];
 548                 /*
 549                  * The pre-select bits are now considered
 550                  * in 8 groups of 6 bits each.
 551                  * The 8 selection functions map these
 552                  * 6-bit quantities into 4-bit quantities
 553                  * and the results permuted
 554                  * to make an f(R, K).
 555                  * The indexing into the selection functions
 556                  * is peculiar; it could be simplified by
 557                  * rewriting the tables.
 558                  */
 559                 for (j=0; j<8; j++) {
 560                         t = 6*j;
 561                         k = S[j][(preS[t+0]<<5)+
 562                                 (preS[t+1]<<3)+
 563                                 (preS[t+2]<<2)+
 564                                 (preS[t+3]<<1)+
 565                                 (preS[t+4]<<0)+
 566                                 (preS[t+5]<<4)];
 567                         t = 4*j;
 568                                 f[t+0] = (k>>3)&01;
 569                                 f[t+1] = (k>>2)&01;
 570                                 f[t+2] = (k>>1)&01;
 571                                 f[t+3] = (k>>0)&01;
 572                 }
 573                 /*
 574                  * The new R is L ^ f(R, K).
 575                  * The f here has to be permuted first, though.
 576                  */
 577                 for (j=0; j<32; j++)
 578                         R[j] = L[j] ^ f[P[j]-1];
 579                 /*
 580                  * Finally, the new L (the original R)
 581                  * is copied back.
 582                  */
 583 #if 0
 584                 for (j=0; j<32; j++)
 585                         L[j] = tempL[j];
 586 #else
 587                 memcpy(L, tempL, 32);
 588 #endif
 589         }
 590         /*
 591          * The output L and R are reversed.
 592          */
 593         for (j=0; j<32; j++) {
 594                 t = L[j];
 595                 L[j] = R[j];
 596                 R[j] = t;
 597         }
 598         /*
 599          * The final output
 600          * gets the inverse permutation of the very original.
 601          */
 602         for (j=0; j<64; j++)
 603                 block[j] = L[FP[j]-1];
 604 }
 605 /* EXPORT DELETE END */